RSA Security 5.2.2 manual Client/Server Applications


Applications of Cryptography

4. Perform encryption and decryption with the RC4 cipher under the established key. If the application requires multiple session keys, derive each new key by applying a message digest to the agreed-upon secret value together with a counter, so that both sides produce the same sequence of keys without further communication.

This kind of protocol is open to an attack known as “man-in-the-middle”: an attacker who can intercept all messages between the two parties poses to each of them as the other. For example, when Alice sends a message to initiate a session with Bob, the man-in-the-middle intercepts it, completes a secure session with Alice himself, and initiates his own session with Bob. From then on, every message Alice sends to Bob passes through the attacker: he decrypts it under the session he established with Alice, saves the plaintext to examine later, and re-encrypts it under the session he established with Bob, so neither Alice nor Bob observes anything unusual. If a particular application is vulnerable to such an attack, it is advisable to use a peer-to-peer protocol (see page 86) instead.
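The following Python is an added example, not code from the RSA manual, that models step 4 above together with the man-in-the-middle attack just described. It assumes the agreed secret comes from an unauthenticated Diffie-Hellman style exchange (the manual's earlier steps are not on this page, so the agreement protocol, the toy 64-bit prime, the use of SHA-256 as the message digest and the names Party, honest_exchange and mitm_exchange are all assumptions made here). RC4 is implemented inline because no standard library ships it; it is shown only because the text prescribes it and is not a cipher to use in new designs.

```python
import hashlib
import secrets

# Constructed parameters for a toy Diffie-Hellman style agreement (assumption: the
# manual's earlier steps agree a shared secret this way). 2**64 - 59 is prime but far
# too small to be secure; it only keeps the demonstration readable.
P = 2**64 - 59
G = 2


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key schedule plus keystream XOR; encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def session_key(shared_secret: int, counter: int) -> bytes:
    """Step 4's key derivation: digest of the agreed secret and a counter (SHA-256 assumed)."""
    secret_bytes = shared_secret.to_bytes(8, "big")  # P < 2**64, so 8 bytes always suffice
    return hashlib.sha256(secret_bytes + counter.to_bytes(4, "big")).digest()


class Party:
    """One endpoint: holds its key pair, the agreed secret and the session-key counter."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 2       # private exponent in [2, P-1]
        self.pub = pow(G, self.priv, P)                # value carried in the initiating message
        self.secret = None
        self.counter = 0

    def agree(self, peer_pub: int) -> None:
        self.secret = pow(peer_pub, self.priv, P)

    def next_key(self) -> bytes:
        # Both sides advance the counter in lockstep, so every message gets a fresh RC4 key.
        self.counter += 1
        return session_key(self.secret, self.counter)


def honest_exchange(messages):
    """Alice -> Bob with nobody in between; returns what Bob decrypts."""
    alice, bob = Party("Alice"), Party("Bob")
    alice.agree(bob.pub)
    bob.agree(alice.pub)
    return [rc4(bob.next_key(), rc4(alice.next_key(), m)) for m in messages]


def mitm_exchange(messages):
    """Mallory intercepts Alice's initiating message and runs two separate sessions.

    Returns (plaintexts Mallory recovered and saved, plaintexts Bob decrypted)."""
    alice, bob = Party("Alice"), Party("Bob")
    mallory_a, mallory_b = Party("Mallory<->Alice"), Party("Mallory<->Bob")
    # Alice's public value never reaches Bob: Mallory answers it himself ...
    mallory_a.agree(alice.pub)
    alice.agree(mallory_a.pub)
    # ... and opens his own session with Bob using a second key pair.
    mallory_b.agree(bob.pub)
    bob.agree(mallory_b.pub)
    recovered, delivered = [], []
    for m in messages:
        ct = rc4(alice.next_key(), m)                   # Alice encrypts for "Bob"
        plain = rc4(mallory_a.next_key(), ct)           # Mallory decrypts and saves it
        recovered.append(plain)
        relayed = rc4(mallory_b.next_key(), plain)      # re-encrypts under the Bob session
        delivered.append(rc4(bob.next_key(), relayed))  # Bob sees the expected plaintext
    return recovered, delivered


if __name__ == "__main__":
    msgs = [b"transfer 100 to account 42", b"second message, fresh key"]  # constructed input
    print(honest_exchange(msgs))
    print(mitm_exchange(msgs))
```

Running it shows that Bob receives exactly what Alice sent in both cases, which is the point: nothing in the exchange lets either party notice that the public value they agreed on belongs to Mallory. The attack is possible because the initiating message is not bound to an identity; signing the exchanged public values under keys the peers already trust (the role the server's certificates play in the client/server section) is what removes it.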

Client/Server Applications

A client/server application is distinguished by a single central server node that provides services to several client nodes. Many such applications need cryptographic tools. For example:

Network applications: Any network that connects several computer nodes to one central server, such as a local or wide area network, can use cryptography to establish secure communications between the clients and the server. The network can also employ authentication so that only authorized nodes are admitted and intruders cannot join it.

Database applications: Multiple clients — in this case, database queries — need access to a server — the database. To ensure that not all fields in the database are accessible to all clients, restricted fields can be encrypted (so that only clients holding the key can read them) or signed (so that unauthorized modification is detectable). In addition, by distributing secret shares among authorized personnel, you can ensure that very sensitive data can be accessed only when enough of them cooperate, according to the security rules.

Cryptographic smart cards: Here, you must authenticate users to service providers such as banks. A smart card holds the individual private keys and includes a processor that runs the cryptographic algorithms needed to achieve the appropriate authentication level.
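The database item above mentions distributing secret shares among authorized personnel so that very sensitive data is released only under the security rules. The Python below is an added example, not code from the RSA manual, that models this with Shamir's threshold scheme over a prime field; the page does not name a sharing method, so that choice, the field prime, and the names split_secret, recover_secret and field_key_release are assumptions made here. The secret being shared is treated as the key that encrypts a restricted database field, held by several custodians of whom a threshold must be present.

```python
import secrets

# Constructed choice of field: the Mersenne prime 2**127 - 1. Secret and shares live in [0, PRIME).
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, n_shares: int):
    """Split `secret` into n_shares points on a random polynomial of degree threshold-1.

    Any `threshold` shares recover the secret; fewer are consistent with every secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def field_key_release(field_key: int, threshold: int, custodians: int, presented):
    """Model the access rule for a restricted field: its encryption key is split among
    `custodians` people and released only when at least `threshold` of them present
    their shares. `presented` lists the 1-based indices of the custodians present."""
    shares = split_secret(field_key, threshold, custodians)   # done once, at provisioning
    chosen = [shares[i - 1] for i in presented]
    if len(chosen) < threshold:
        return None                                            # rule not met: no key
    return recover_secret(chosen)


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)                             # constructed field-encryption key
    print(field_key_release(key, 3, 5, [1, 3, 5]) == key)      # three of five present
    print(field_key_release(key, 3, 5, [2, 4]))                # two present: None
```

In a real deployment the split happens once and each custodian keeps only their own (x, y) point; the server never stores the whole key, and recovery runs only inside the code path that enforces the access rule. Two shares of a three-of-five split interpolate to a value unrelated to the secret, which is what gives the scheme its security, not merely the `if len(chosen) < threshold` check.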

In all these applications, the server generates a public/private key pair for use with all clients requiring secure communications. The server uses the private key to sign digital certificates for all nodes that require access to the server and its resources.

It also maintains a public key table in which client RSA public keys are registered. Each client computes an RSA public/private key pair when it is first established as a secure client. The

Chapter 3 Cryptography  85
